Kerberos authentication and Time Skew: does not always work
Henry B. Hotz
hotz at jpl.nasa.gov
Wed Sep 5 20:16:19 EDT 2007
On Sep 4, 2007, at 9:15 AM, krbdev-request at mit.edu wrote:
> Date: Tue, 4 Sep 2007 09:56:11 -0400
> From: "JC Ferguson" <jc at acopia.com>
> Subject: RE: Kerberos authentication and Time Skew: does not always
> work
> To: <jaltman at secure-endpoints.com>
> Cc: krbdev at mit.edu
> Message-ID:
> <E53CB38C90F105419EBB3842054576E61B1027 at exchange1.Acopianet.com>
> Content-Type: text/plain; charset="US-ASCII"
>
>
>>> Ok - but why does a clock skewed client work fine when the
>>> service host is Windows? Also, I have noticed a similar,
>>> successful behavior for Netapp NAS devices.
>>>
>>> Thank you,
>>> /jc
>>
>> It shouldn't matter what the service host is as long as the
>> service host clock is synchronized with the KDC. If the
>> service host clock is not synchronized with the KDC, Kerberos
>> will not work.
>
> I agree. But, for me, it is not working. The service host I am
> developing uses the MIT KRB5 1.3.6 library and it is not able to
> authenticate a skewed client with any sort of reliability (50% success
> rate), even when its clock is in sync with the KDC. Given MS Windows,
> in the capacity of a service host, can authenticate a skewed client
> with 100% success, I am wondering what I am doing wrong in my
> application of the MIT krb library. Or, if there is yet-to-be-implemented
> code in the library to deal with time skewed clients.
>
> /jc
What's the actual error message it fails with? Is it a clock skew
message, or something else?
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu